Re: [squid-users] Warning

From: Amos Jeffries <>
Date: Tue, 30 Aug 2011 17:08:18 +1200

On 30/08/11 08:07, Igor Rafael wrote:
> Hello,
> What might be causing this Warning?!
> "WARNING: Forwarding loop detected for:
> Client: http_port:"

> See my config file :
> # Scenario 3. Mesh
> #cache_peer parent 3128 0 no-query round-robin
> cache_peer sibling 3128 3130 no-digest proxy-only
> cache_peer sibling 3128 3130 no-digest proxy-only
> cache_peer sibling 3128 3130 no-digest proxy-only
> #prefer_direct off
> ### END Scenario 3 ###
> # Basic configuration
> http_port 3128 transparent

It appears that this proxy is configured to perform BOTH of the traffic
operations which can lead to traffic loops.

I highly recommend using two http_port entries. 3128 for sibling
communications and moving the "transparent" to a second randomly chosen
port number. Your NAT settings will need updating to match that port.

  If this is a Linux box there are iptables mangle security rules that
need to be applied as well. Please compare your NAT settings against the
recommended configs:

Possibly the loop was from a peer. You will need to find out why the
request is coming from this proxy into the peers and back out again
here. And some way to prevent it happening.

miss_access may be useful, either here or in the siblings. It
prevents certain requests being relayed through the proxy using it.

> acl all src

Please use "acl all src all" if you have an old Squid. Or remove if this
is a 3.x release.

> icp_access deny all
> http_access allow all

Ouch. VERY unsafe. This is an open proxy. Whatever the firewall
situation around it is. Once that is breached this setup is a gaping
security hole to anywhere.

I highly recommend creating an ACL of the LAN IPs from which you
accept traffic (i.e. the default localnet or our_networks definitions) and
changing that "allow all" into "allow localnet".


Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.15
   Beta testers wanted for
Received on Tue Aug 30 2011 - 05:08:33 MDT
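
An added example, not part of the original message or of Squid itself: a small Python check over squid.conf text for the two problems the reply points out, an "http_access allow all" open proxy and cache peers configured while the only http_port is the transparent one. The peer hostnames, port 3129 and the localnet range in the samples are constructed values.

```python
# Added example: audits squid.conf text for the two issues raised in the reply.
INTERCEPT_FLAGS = {"transparent", "intercept", "tproxy"}

def audit_squid_conf(text):
    """Return a sorted list of finding codes for squid.conf content."""
    forward_ports, intercept_ports = set(), set()
    peers, findings, decided = 0, set(), False
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop comments and blank lines
        if not tokens:
            continue
        directive, args = tokens[0], tokens[1:]
        if directive == "http_port" and args:
            port = args[0].rsplit(":", 1)[-1]   # "3128" or "addr:3128"
            mode = intercept_ports if INTERCEPT_FLAGS & set(args[1:]) else forward_ports
            mode.add(port)
        elif directive == "cache_peer":
            peers += 1
        elif directive == "http_access" and not decided and args[1:] == ["all"]:
            # http_access is first-match: the first rule on "all" settles
            # every request that earlier rules did not match.
            decided = True
            if args[0] == "allow":
                findings.add("OPEN_PROXY")
    # Peers configured but the only listening port is the NAT-intercept one:
    # sibling requests and intercepted traffic share a port.
    if peers and intercept_ports and not forward_ports:
        findings.add("NO_SEPARATE_FORWARD_PORT")
    return sorted(findings)

# Constructed sample modelled on the quoted config; peer names are placeholders.
WEAK_CONF = """
cache_peer peer1.example sibling 3128 3130 no-digest proxy-only
cache_peer peer2.example sibling 3128 3130 no-digest proxy-only
http_port 3128 transparent
icp_access deny all
http_access allow all
"""

# Constructed sample after the recommended changes; 3129 and the localnet
# range are assumed values.
FIXED_CONF = """
cache_peer peer1.example sibling 3128 3130 no-digest proxy-only
http_port 3128
http_port 3129 transparent
acl localnet src 192.168.0.0/16
http_access allow localnet
http_access deny all
"""
```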
